Anaconda Encrypted Boot IPA key Management

Summary

Owner

Current status

Completed in Fedora 13: 75%

Last update 2010-11-05

Detailed Description

Add support for saving encryption keys (to recover access to a volume when the passphrase is forgotten, or when the user leaves a company), and for creating backup passphrases (to be disclosed to the user when the user forgets the passphrase and is on the road). See Key Management for general discussion, Disk encryption key escrow use cases for specifics.

Subtasks:

Add two or three small packages (python-volume_key and volume_key-libs, perhaps python-nss) to the installation image

Add two kickstart options (#508963) to pykickstart. The options specify an URL for a certificate (to use for encryption, implicitly enables key escrow) and a "create backup passphrase" flag.

Add anaconda support: Download the specified certificates, and use the functionality provided by the *volume_key* packages and to store encryption keys or passphrases under $rootPath/root. (#510545)

Add system-config-kickstart support for the new kickstart options; needs to integrate with other planned changes to the storage configuration GUI, blocked on those.

Add FirstAidKit support for recovering access to encrypted voluems using the stored encryption keys

Target Audience

Enterprise customers want a means by which they can guarantee access to the data on encrypted block devices in employees' systems. This way they still have a way in if the user changes the device's keys/passphrases.

Product Variants / High Level Use Cases

Relevant to desktops/laptops particularly, but depending upon implementation may be interesting for other products as well e.g. to support encrypted databases, medical records protection.